CAJ | 학술논문

伪装攻击是指非授权用户通过伪装成合法用户来获得访问关键数据或更高层访问权限的行为.近年来,伪装攻击检测在保障网络信息安全中发挥着越来越大的作用.文中提出一种新的用户伪装攻击检测方法.同现有的典型检测方法相比,该方法在训练阶段改进了对用户行为模式的表示方式,通过合理选择用户行为特征并基于阶梯式的序列模式支持度来建立合法用户的正常行为轮廓,提高了用户行为描述的准确性和对不同类型用户的适应性;在充分考虑shell命令审计数据时序特征的基础上,针对伪装攻击行为复杂多变的特点,提出基于多重行为模式并行挖掘和多门限联合判决的检测模型,并通过交叉验证和等量迭代逼近方法确定最佳门限参数,克服了单一序列模式检测模型在性能稳定性和容错能力方面的不足,在不明显增加计算成本的条件下大幅度提高了检测准确度.文中提出的方法已应用于实际检测系统,并表现出良好的检测性能.
위장공격시지비수권용호통과위장성합법용호래획득방문관건수거혹경고층방문권한적행위.근년래,위장공격검측재보장망락신식안전중발휘착월래월대적작용.문중제출일충신적용호위장공격검측방법.동현유적전형검측방법상비,해방법재훈련계단개진료대용호행위모식적표시방식,통과합리선택용호행위특정병기우계제식적서렬모식지지도래건립합법용호적정상행위륜곽,제고료용호행위묘술적준학성화대불동류형용호적괄응성;재충분고필shell명령심계수거시서특정적기출상,침대위장공격행위복잡다변적특점,제출기우다중행위모식병행알굴화다문한연합판결적검측모형,병통과교차험증화등량질대핍근방법학정최가문한삼수,극복료단일서렬모식검측모형재성능은정성화용착능력방면적불족,재불명현증가계산성본적조건하대폭도제고료검측준학도.문중제출적방법이응용우실제검측계통,병표현출량호적검측성능.
Masquerade attacks are attempts by unauthorized users to gain access to confidential data or greater access privileges, while pretending to be legitimate users. Masquerade detection is now one of the major concerns of system security research. This paper proposes a novel method to distinguish legitimate users from masqueraders based on shell commands and multiple behavior pattern mining. In the method, behavioral patterns of legitimate users are characterized by shell command sequences of different lengths, and hierarchical sequence supports are employed to construct the normal behavior profiles of legitimate users, which improve the precision and adaptability of user profiling. In the detection stage, a model based on multiple sequence pattern parallel mining and multiple threshold joint decision is used to determine whether the monitored user's behavior is normal or anomalous. The model gives attention to both detection accuracy and computational efficiency, and is especially applicable for on-line detection. This study empirically demonstrated the promising performance of the method, and it has succeeded in getting application in practical host-based intrusion detection systems.